Data governance guide
Global CDN Data Residency and Sovereignty Guide
An edge footprint is only one part of the data position. Map cache, logs, security telemetry, keys, support access, and exports before relying on a residency claim.
On this page
“EU-hosted” is not a complete answer to privacy, security, or sovereignty questions. A CDN can process requests near users while control-plane access, TLS termination, logs, backups, support, and subprocessors follow different paths. This is a technical and procurement guide, not legal advice.
Overview
Outcome
Produce a component-level data map and evidence pack that lets privacy, security, and procurement teams assess the actual delivery service rather than a regional marketing label.
Map what each edge component may process
Do not assume every enabled product processes every category below. Scope depends on cache policy, logging fields, TLS design, routing, edge code, and support arrangements.
| Component | Data that may be processed | Question to answer |
|---|---|---|
| DNS and steering | Client or resolver metadata, hostname, routing decision | Where are queries processed and logged? |
| TLS and cache | Request/response content, headers, cookies, cache keys | Where can decryption and stored response handling occur? |
| WAF and bot controls | IPs, headers, ruleset matches, security events | Where are detection and forensic records retained? |
| Edge compute | Request fields, identity claims, response, state, function logs | Which regions execute and retain each element? |
| Management and support | Accounts, configuration, audit trails, tickets, diagnostic data | Who can access it and from where? |
- Client to edge
DNS, TLS, request metadata, cookies, headers, and payloads arrive.
- Delivery plane
Cache, WAF, bot, routing, and edge functions process selected fields.
- Origin plane
Forwarded headers, health checks, and cache fills reach services.
- Telemetry and control
Logs, exports, configuration, support, and key access create persistent paths.
A defensible residency assessment follows data through delivery, telemetry, and management planes, not just through the origin region.
Separate residency, sovereignty, and transfers
Residency is a stated location commitment for a specific data class and service component. Sovereignty is broader operational control over access, keys, subprocessors, legal requests, portability, and deletion. International transfers are a separate GDPR analysis: EU storage alone does not answer whether support access, telemetry export, or a subprocessor creates a third-country transfer.
component=WAF-events
data=IP, route-template, action, rule-ID
processing_region=contractual-service-scope
retention=security-policy
export_destination=customer-SIEM
access=least-privilege + audited
transfer_assessment=privacy-owner-review-requiredGive logs and cache their own review
Log fields can become the most persistent dataset in an edge architecture. Allowlist fields, redact query strings and secrets, set destination regions, restrict access, and define retention and deletion owners. A cache purge is not proof that logs, backups, analytics, or support artefacts are deleted. Public assets and authenticated HTML also have materially different cache risks.
Contract for evidence and exit
Ask for a service-by-service location matrix, subprocessor list and notice process, support-access controls, log-field options, DPA and transfer terms, incident cooperation, configuration export, purge support, deletion evidence, and migration assistance. Test an exit: export policies and logs, rotate credentials, remove origin allowlists, cut over safely, and retain evidence of completion.
Troubleshooting
Residency assessment failures
- Treating cache location as the only relevant processing location.
- Assuming a data-processing agreement and transfer mechanism are interchangeable.
- Enabling a new log, edge-compute, or support integration without updating the data map.
- Calling deletion complete without identifying logs, backups, customer destinations, and provider artefacts.
Related guides
Authoritative references
- GDPR, Regulation (EU) 2016/679
- EDPB Recommendations 01/2020 on supplementary transfer measures
- European Commission: international data transfers
- Cloudflare Data Localization Suite
- AWS CloudFront standard logging
Turn data location into a verifiable control
Optimi can help technical teams map delivery, telemetry, and management-plane evidence for their edge estate alongside privacy counsel.
Review edge data flows